start rsyslog with command line rsyslogd -o /path/to/file and that file will have the full config as rsyslog sees it.

you probably still have a problem with the order of things, but without seeing the full config, we can only guess at what's happening.

why do you have so many stop statements? your filters are not overlapping. If you did not have the stop statements, the order would not matter as they would all be evaluated.

David Lang

On Mon, 21 Aug 2023, kathy lyons wrote:

Date: Mon, 21 Aug 2023 07:07:40 -0400
From: kathy lyons <kathy.ly...@zayo.com>
To: Rainer Gerhards <rgerha...@hq.adiscon.com>
Cc: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <da...@lang.hm>
Subject: Re: [rsyslog] rsyslog - problem sending udp traffic

That works - thanks!  The only thing it does not do is forward the logs we
have configured in /etc/rsyslog.d.  Is that correct or is there potentially
a different issue?  We put the stops in there because the audit logs were
appearing in /var/log/syslog.

On Fri, Aug 18, 2023 at 3:18 AM Rainer Gerhards <rgerha...@hq.adiscon.com>
wrote:

Move the forwarding rule to the top, that should solve your issue.

Rainer

Sent from phone, thus brief.

David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Thu, 17 Aug 2023, 19:16:

all of those &stop lines are telling rsyslog that if it matches the
filter and writes it to the file that it should stop processing that
message.

As a result, anything that gets written to a local file will stop
processing before it gets down to your udp sending action

David Lang

On Thu, 17 Aug 2023, kathy lyons wrote:

Date: Thu, 17 Aug 2023 13:12:03 -0400
From: kathy lyons <kathy.ly...@zayo.com>
To: David Lang <da...@lang.hm>
Cc: kathy lyons via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] rsyslog - problem sending udp traffic

Here it is:

module(load="imfile")
module(load="imuxsock")
module(load="imklog")
module(load="imjournal")

timezone(id="UTC")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RepeatedMsgReduction on

$FileOwner syslog
$FileGroup adm

global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128K")

$IncludeConfig /etc/rsyslog.d/*.conf

audit.*                        action(type="omfile" file="/var/log/audit/audit.log")
& stop
auth.warning;authpriv.info.*   action(type="omfile" file="/var/log/auth.log")
& stop
auth,authpriv.none             action(type="omfile" file="/var/log/syslog")
& stop
cron.info                      action(type="omfile" file="/var/log/cron.log")
& stop
daemon.info                    action(type="omfile" file="/var/log/daemon.log")
& stop
kern.info                      action(type="omfile" file="/var/log/kern.log")
& stop
user.info                      action(type="omfile" file="/var/log/user.log")
& stop

local7.*                       action(type="omfile" file="/var/log/boot.log")
& stop

*.* @x.x.x.x

rsyslogd -N1 shows no errors.  strace shows no errors.

On Wed, Aug 16, 2023 at 12:15 PM David Lang <da...@lang.hm> wrote:

please post your full config.

I would also check your firewall config (iptables/nftables) on the
system to see if it's blocking the connection.

Also make sure you have a route to the destination IP (you probably
have a default route that does this, but it is something we've run
across)

are you seeing any startup errors? or config errors (start rsyslog
manually with rsyslogd -N1)

if none of that helps, we may need to get debug info, but start with
the simpler stuff. Normally this 'just works' so I'd guess that it's a
syntax error somewhere in the config.

David Lang

On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote:

I hope this is the right place to ask this question.  I have a basic
rsyslog setup sending udp data from a Debian 11 host to a remote
server. At the bottom of my rsyslog.conf file I have:

 *.* @x.x.x.x

Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so
I am not worried about that. The problem is that on the device itself
I do not see any logs leaving the device. Nor do I see them at the
firewall (x.x.x.x).  I have used netcat to see if the remote port is
open and reachable and it is.  I have re-installed rsyslog and
restarted it. Nothing seems to work.

However, when I issue the logger command:

logger -n x.x.x.x -P 514 -d "This is a test"

I see that data.  What else can I check with my rsyslog setup?  Thank
you.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
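
The rule-ordering problem discussed in this thread, as an added example that is not part of any of the original messages: a small Python check that lists which `& stop` selectors sit ahead of each forwarding rule, run over the rule section of the posted config and over the reordered version. The parser is a simplified model (an assumption of this example) that only understands legacy `selector action` lines and `& stop`; the function names are hypothetical.

```python
import re
# Constructed sample: the rule section of the config posted in this thread,
# with the mail-wrapped action lines joined. x.x.x.x is the thread's placeholder.
POSTED = '''\
audit.* action(type="omfile" file="/var/log/audit/audit.log")
& stop
auth.warning;authpriv.info.* action(type="omfile" file="/var/log/auth.log")
& stop
auth,authpriv.none action(type="omfile" file="/var/log/syslog")
& stop
cron.info action(type="omfile" file="/var/log/cron.log")
& stop
daemon.info action(type="omfile" file="/var/log/daemon.log")
& stop
kern.info action(type="omfile" file="/var/log/kern.log")
& stop
user.info action(type="omfile" file="/var/log/user.log")
& stop
local7.* action(type="omfile" file="/var/log/boot.log")
& stop
*.* @x.x.x.x
'''
# Reordered as advised in the thread: the forwarding rule comes first.
FIXED = '*.* @x.x.x.x\n' + POSTED.replace('*.* @x.x.x.x\n', '')

RULE = re.compile(r'^([\w*,;!=-]+\.[\w*,;.!=-]*)\s+(\S.*)$')  # "fac.prio  action"

def parse_rules(text):
    """Return [selector, action, stops] per selector line, in config order."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith('&') and rules:
            # "& ..." chains onto the previous selector; "& stop" ends processing
            rules[-1][2] |= line[1:].strip() == 'stop'
        elif m := RULE.match(line):
            rules.append([m.group(1), m.group(2), False])
    return rules

def is_forward(action):  # legacy "@host" (UDP), "@@host" (TCP), or omfwd object
    return action.startswith('@') or 'type="omfwd"' in action

def shadowed_forwards(text):
    """Map each forwarding rule to the earlier selectors that stop before it."""
    report, stoppers = {}, []
    for selector, action, stops in parse_rules(text):
        if is_forward(action):
            report[f'{selector} {action}'] = list(stoppers)
        if stops:
            stoppers.append(selector)
    return report
```

`shadowed_forwards(POSTED)` lists all eight file rules ahead of `*.* @x.x.x.x`, while `shadowed_forwards(FIXED)` returns an empty list for it. The same check can be pointed at the file written by `rsyslogd -o`, within the limits of the simplified parser.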


